Re: [OAUTH-WG] WGLC on Assertion Drafts

"Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com> Fri, 13 April 2012 18:55 UTC

Return-Path: <zachary.zeltsan@alcatel-lucent.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47AA521F8564 for <oauth@ietfa.amsl.com>; Fri, 13 Apr 2012 11:55:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.932
X-Spam-Level:
X-Spam-Status: No, score=-7.932 tagged_above=-999 required=5 tests=[AWL=-1.334, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w27cVr3S8JAv for <oauth@ietfa.amsl.com>; Fri, 13 Apr 2012 11:55:25 -0700 (PDT)
Received: from ihemail4.lucent.com (ihemail4.lucent.com [135.245.0.39]) by ietfa.amsl.com (Postfix) with ESMTP id 218AC21F8557 for <oauth@ietf.org>; Fri, 13 Apr 2012 11:55:25 -0700 (PDT)
Received: from usnavsmail2.ndc.alcatel-lucent.com (usnavsmail2.ndc.alcatel-lucent.com [135.3.39.10]) by ihemail4.lucent.com (8.13.8/IER-o) with ESMTP id q3DItLwj004605 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 13 Apr 2012 13:55:22 -0500 (CDT)
Received: from USNAVSXCHHUB03.ndc.alcatel-lucent.com (usnavsxchhub03.ndc.alcatel-lucent.com [135.3.39.112]) by usnavsmail2.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id q3DItLMR031696 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Fri, 13 Apr 2012 13:55:21 -0500
Received: from USNAVSXCHMBSA3.ndc.alcatel-lucent.com ([135.3.39.119]) by USNAVSXCHHUB03.ndc.alcatel-lucent.com ([135.3.39.112]) with mapi; Fri, 13 Apr 2012 13:55:21 -0500
From: "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com>
To: "'Chuck Mortimore'" <cmortimore@salesforce.com>, "'Tschofenig, Hannes (NSN - FI/Espoo)'" <hannes.tschofenig@nsn.com>, "'oauth@ietf.org'" <oauth@ietf.org>
Date: Fri, 13 Apr 2012 13:55:18 -0500
Thread-Topic: [OAUTH-WG] WGLC on Assertion Drafts
Thread-Index: Ac0TOvMdI0KJHLgrSYOXF98LEO+MPAALZYCwAYxJK94AA0dS0A==
Message-ID: <5710F82C0E73B04FA559560098BF95B1250E8BAD72@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
References: <5710F82C0E73B04FA559560098BF95B1250DE5716F@USNAVSXCHMBSA3.ndc.alcatel-lucent.com> <CBADAE5A.2A162%cmortimore@salesforce.com>
In-Reply-To: <CBADAE5A.2A162%cmortimore@salesforce.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_5710F82C0E73B04FA559560098BF95B1250E8BAD72USNAVSXCHMBSA_"
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.39
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.10
Subject: Re: [OAUTH-WG] WGLC on Assertion Drafts
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Apr 2012 18:55:27 -0000

Chuck,

The intent is clear. Perhaps the following change would clarify the text:
Old: The Authorization Server MUST validate the assertion in order to establish a mapping between the Issuer and the secret used to generate the assertion.
New: The Authorization Server MUST validate the assertion's signature in order to verify the Issuer of the assertion.

Zachary


From: Chuck Mortimore [mailto:cmortimore@salesforce.com]
Sent: Friday, April 13, 2012 1:20 PM
To: Zeltsan, Zachary (Zachary); Tschofenig, Hannes (NSN - FI/Espoo); oauth@ietf.org
Subject: Re: [OAUTH-WG] WGLC on Assertion Drafts

Hi Zachary - sorry about the delay in responding.

Perhaps the language is a bit confusing - let me explain the intent and see if it makes sense and if you have a recommendation on how it could be made clearer.

All this is really saying is that the Authorization server must validate the signature to make sure the Issuer is who they say they are.   The authorization server would use the Issuer as it's mechanism for looking up either the shared secret for an HS256 or the public key for RS256.   It then checks the signature, and proves to itself that the generator of the assertion had possession of the expected keying material and identified itself as the issuer.

Feedback welcome

-cmort

On 4/5/12 1:33 PM, "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com> wrote:
Hello,

The draft http://tools.ietf.org/html/draft-ietf-oauth-assertions-01, section 6.1 has the following requirement:

The Authorization Server MUST validate the assertion in order to
      establish a mapping between the Issuer and the secret used to generate the assertion.

I thought that checking a signature is a part of the assertion validation, which cannot be done without knowing the mapping between the issuer and the secret used to generate the assertion.
It appears that the quoted text requires validation of the assertion prior to checking the signature.
What am I missing?

Zachary


From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Tschofenig, Hannes (NSN - FI/Espoo)
Sent: Thursday, April 05, 2012 10:47 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] WGLC on Assertion Drafts

Hi all,

this is a Last Call for comments on these three documents:

http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-10

http://tools.ietf.org/html/draft-ietf-oauth-assertions-01

http://tools.ietf.org/html/draft-ietf-oauth-urn-sub-ns-02

Please have your comments in no later than April 23rd.

Do remember to send a note in if you have read the document and have no other comments other than "it's ready to go" - we need those as much as we need "I found a problem".

Thanks!

Hannes & Derek